Formal methods are widely recognized as a powerful engineering method for the specification, simulation, development, and verification of distributed interactive systems. However, most formal methods rely on a two-valued logic and are therefore limited to the axioms of that logic: a specification is valid or invalid, component behavior is realizable or not, safety properties hold or are violated, systems are available or unavailable. Especially when the problem domain entails uncertainty, imprecision, and vagueness, applying such methods becomes a challenging task. In order to overcome the limitations resulting from the strict modus operandi of formal methods, the main objective of this work is to relax the boolean notion of formal specifications by using fuzzy logic. The present approach is based on Focus theory, a model-based and strictly formal method for component-based interactive systems. The contribution of this work is twofold: i) we introduce a specification technique based on fuzzy logic which can be used on top of Focus to develop formal specifications in a qualitative fashion; ii) we partially extend Focus theory to a fuzzy one which allows the specification of fuzzy components and fuzzy interactions. While the former provides a methodology for approximating I/O behaviors under imprecision, the latter enables capturing a more quantitative view of specification properties such as realizability.


1 Introduction 


Formal methods are widely recognized as a powerful engineering method for the specification of interactive systems [3]. They follow the principle of "correctness by construction" and are therefore well suited for security-critical systems [11]. Although the promises of formal methods are well known [16], there are many limitations preventing their usage in industrial software development. The following limitations are generally identified in the literature [4][22] as the main blockers: 1) Limited scope: formal methods are not well suited to specifying user and environment interfaces and interactions; 2) Limited scalability: as systems increase in size, the time and effort required to develop a formal specification grows disproportionately; 3) Limited expressiveness: standard formal methods are not capable of quantifying values between the "absolute truth" and the "absolute false".

Through the long-term experience obtained within the research projects SPES [21] and E-Energy, we empirically confirmed the presence and challenges of the above-stated limitations for the avionic, automotive, and smart grid domains. Driven by the individual problems recognized in each domain, a natural question arises whether it is possible to extend standard formal methods so as to speed up the development of specifications on the one hand, while on the other hand the specification remains formal enough to keep the promises of formal methods such as verification, model checking, etc. To advance this overarching question we distinguish between two major problem categories:
Figure 1: Rapid Formal Methods (Bounded Top-Down). (A) Instead of an iterative refinement we suggest proceeding with formal modeling as early as possible. (B) We propose a specification technique for 1) formalizing qualitative properties of components and 2) approximating component behavior in terms of a rule base. (C) We provide an equivalence model which allows capturing distances between specifications and systems.


Problem Statement 1: Formal methods, such as Focus [3] or Z [13], permit the precise and unambiguous modeling of interactive component behavior. To achieve that, it is necessary to formalize the informal system requirements. Since vagueness, imprecision, and ambiguity are inherent in natural language, the informal system requirements suffer from them as well. Thus, a tight feedback loop between detailed requirements specification and formal specification is observed and repeated until the formal specification becomes precise enough to continue with the implementation. Nevertheless, some system problems, particularly those drawn from the systems engineering domain, where the system's context includes user and environment interactions, may be difficult to model in crisp or precise terms. Furthermore, in order to meet the project's time constraints, it may be desirable for formal methods to commence as early as possible, even though the understanding of parts of the problem domain is only approximate. Hence, the first problem we deal with in this paper is visualized in Figure 1 and addresses the research question: How to soften the aforementioned tight feedback loop?


Problem Statement 2: Once a formal system specification is defined, standard verification systems (e.g. Isabelle [20]) return a boolean answer that indicates whether a system behavior conforms to its specification. Hence, two distinct behavior clusters are formed, namely that of correct and that of incorrect behaviors. However, not all correct behaviors are equally good, and not all incorrect behaviors are equally bad. Thus, a second research question arises: whether it is possible to relax the strict boolean notion of formal methods to capture a more fine-grained view, as depicted in Figure 1, between a specification and its possible implementations. Such a view allows for quantitative reasoning about specification properties such as realizability, safety, and liveness, to name only a few.


Motivation and Research Objective: The identified problems are closely related to the strict mathematical concepts used in formal methods. Most of them are based on crisp sets and on a two-valued logic, and are therefore limited to the axioms of that logic. Many researchers [15][19] have successfully applied probabilistic and stochastic approaches to deal with uncertainty resulting from the lack of information. However, there is also another source of uncertainty, resulting from the inability to characterize information. The latter is the kind of uncertainty we address in this work. In recent years there have been a number of research attempts [12][17][18] which point out the need for emerging ideas and concepts to overcome these limitations. Indeed, most existing approaches, especially those addressing the second problem, are based on distance specification [4][5][12]. Their attempt is to relax the boolean notion by defining custom distances for each specification property and measuring the corresponding deviation. The alternative we suggest in this work is an innovative approach where we use fuzzy logic to tackle this problem. The overall idea is schematically depicted in Figure 1 and can be understood as a combination of rapid prototyping with formal methods. We call this engineering method Rapid Formal Methods (RFM). The research objective is to establish the basic foundations and concepts needed towards a complete theory for the specification of fuzzy interactive systems. Such a theory should provide the necessary concepts for developing softer specifications but also for modeling fuzzy interactions. The presentation of a complete theory within this paper is not possible and thus we concentrate on component behavior.

Structure: Section 2 presents the related foundations of Focus and fuzzy set theory. In addition, the conventions made for this paper are declared. Section 3 describes how fuzzy logic applies on top of Focus to develop specifications based on qualitative properties. In Section 4 the concept of fuzzy components is introduced and the necessary formalisms are presented. Section 5 lists the related work and establishes a border between this and other approaches. Finally, Section 6 concludes the present work and describes possible future directions.


2 Preliminaries 

Focus Theory. We base our approach on Focus [3], a model-based and strictly formal software and systems engineering method for distributed interactive systems. The method builds on top of Higher-Order, two-valued, typed Logic (HOL [1]), which describes systems in terms of their structure (syntactic) and behavior (semantic). The system structure is determined by a static hierarchy of components, each defining an interface $(I \blacktriangleright O)$ through a set of typed input channels $i \in I$ and typed output channels $o \in O$.

The central concept of Focus is that of a stream, which is used to represent communication histories. Let $M$ be a given set of messages. A stream $s$ over the set $M$ is a finite ($M^*$) or an infinite ($M^\omega$) sequence of elements from $M$. Furthermore, the set of timed streams represents an infinite history of finite communications over a channel that are carried out in a discrete time frame. The $k$-th sequence in a timed stream represents the sequence of messages exchanged on the channel in the $k$-th time interval.

Further, different components can be connected through I/O channels to describe component interaction through message exchange. Hence, component behavior is determined by a mapping from the set of possible input histories (streams over input channels $I$) to the set of possible output histories (streams over output channels $O$). Therefore, the semantic interface of a component is denoted by a set-valued function $F : I \to \wp(O)$. For example, this mapping can be expressed by means of automata including states and transitions with guards over input histories and actions over output histories, but other description techniques such as table specifications are supported in principle as well.


Fuzzy Set Theory. We assume that the reader has a basic knowledge of fuzzy set theory and fuzzy logic. For a detailed description, we refer to [14][24][25].

A fuzzy set $\mu$ of $X$ is a function from the reference set $X$ to the unit interval, formally $\mu : X \to [0,1]$. $\mathcal{F}(X)$ denotes the set of all fuzzy sets of $X$. The value $\mu(x)$ is called degree of truth and the function $\mu$ is called membership function.

A fuzzy set can be represented by a continuous membership function $\mu$, or by a set $A$ of ordered pairs. The latter is denoted by $A = \{(x, \mu_A(x)) \mid x \in X\}$. The set $supp(A) =_{def} \{x \in X \mid \mu_A(x) > 0\}$ is called support of $A$. The set $[A]_\alpha =_{def} \{x \in X \mid \mu_A(x) \geq \alpha\}$ is called $\alpha$-cut of $A$. The fuzzy set $A$ is often denoted by $\{\mu_A(x_1)/x_1, \ldots, \mu_A(x_n)/x_n\}$. Now let $X, Y \subseteq \mathbb{R}$ be universal sets; then a fuzzy relation $R$ is a fuzzy set given by $R = \{((x,y), \mu_R(x,y)) \mid (x,y) \in X \times Y\}$. Qualitatively, a fuzzy relation can be understood as an expression of the form $R$ = "x is heavier than y", where $x \in X$, $y \in Y$ and $R \subseteq X \times Y$. Finally, let $R_1(x,y) \subseteq X \times Y$ and $R_2(y,z) \subseteq Y \times Z$ be two fuzzy relations. Their composition is denoted by $R_1 \circ R_2$ and is defined in $X \times Z$. The membership function of the composed relation is given by the max-min composition $\mu_{R_1 \circ R_2}(x,z) = \sup_y \min[\mu_{R_1}(x,y), \mu_{R_2}(y,z)]$.




Conventions. Throughout this paper we make use of some basic operators on streams. Let $s$ be a stream; then $(s.k)$ denotes the $k$-th element of the stream, $s@t$ denotes the element of a timed stream at time point $t$, $(s|k)$ denotes the sequence of the first $k$ sequences/messages in the stream and $(\#s)$ is the number of elements in $s$. For an infinite stream $(\#s) = \infty$. Furthermore, we define the functions $max(s)/sup(s)$ and $min(s)/inf(s)$, returning the maximum/supremum and minimum/infimum element of a finite/infinite stream, respectively. By $s_1 \frown s_2$ we denote the concatenation of two streams. In general, messages of any type are supported by streams, but for readability we use only the set of real numbers $\mathbb{R}$. Types and sets used in any context, i.e. $x : T$ and $x \in T$ respectively, are by default to be understood as crisp. Fuzzy sets are always stated explicitly. Fuzzy types are recognized by the prefix $\mathcal{F}$, followed by the type name. We define the domain and the range of a fuzzy set by $dom.\mu_A =_{def} A$ and $rng.\mu_A =_{def} \{\mu_A(x) \mid x \in A\}$.


3 Fuzzy Logic on Top of Focus 


In this section we apply fuzzy logic on top of Focus to develop soft specifications for interactive systems. Consider the following simple example of a Virtual Power Plant (VPP) which exchanges weather information with its environment (i.e. a weather station) and produces power to supply a network of consumers. A system according to Focus is specified if the syntactic and the semantic interface are fully specified. The former specifies how the system interacts $(I \blacktriangleright O)$ with its environment while the latter specifies the behavior of the component, denoted by $B : I \to \wp(O)$. Formalizing the behavior of a component is not always easy. In the given example one first has to decompose the system into its elementary building blocks, for example a set of solar panels. Afterwards the formalization of each behavior by means of mathematical models like differential equations is required. For a detailed overview on how to apply formal methods to smart grid systems and the coherent challenges, we refer to [9] and [10].
3.1 Syntactic Interface - I/O Specification

First we have to extend the syntactic interface for the introduced example. As illustrated above, the $(I \blacktriangleright O)$ of the VPP consists of its input channels $w, t$, its output channel $p$, and the types of messages that are transmitted on them. Messages received on $w$/$t$ are of type $W$/$T$ respectively, and messages sent along $p$ are of type $P$. Since channels are typed, and Focus uses crisp sets to define types, we introduce a new concept, namely that of fuzzy properties and fuzzy ports.

Definition 1 (Fuzzy Property). A fuzzy property $p$ is a three-tuple $(X, \xi, \pi_p)$, where $X$ is the universe of discourse which can be referenced by $p$, $\xi$ is a linguistic term which characterizes the property and $\pi_p : X \to [0,1] \cup \{\bot\}$ is the membership function. The value $\pi_p(x_i)$ is an indicator to what degree the property holds for a given $x_i \in X$. A fuzzy property can be represented by a fuzzy set $\{(x, \pi_p(x)) \mid x \in X\}$, which is fully specified by the three-tuple. By $\mathcal{P}$ we denote the set of all fuzzy properties.

Example 1. The tuple $(T, HIGH, \pi_{HIGH})$, where $T = \{t \in \mathbb{R} \mid -30 < t < 40\}$, defines a property which describes the high temperature for the VPP. A possible representation could then be $T_{HIGH} = \{0/15, 0.3/20, 0.6/25, 0.9/30, 1/35\}$, where a temperature of 15°C is considered to be high with a degree of truth 0, a temperature of 20°C is considered to be high with a degree of truth 0.3, and so on.

Definition 2 (Total Fuzzy Property). We say that a property $p = (X, \xi, \pi_p)$ is total, denoted by $Def_{total}(p)$, if:

$$Def_{total}(p) \Leftrightarrow \forall x \in X\ \exists y \in [0,1] : \pi_p(x) = y \quad (1)$$

Definition 3 (Partial Fuzzy Property). We say that a property $p = (X, \xi, \pi_p)$ is partial, denoted by $Def_{partial}(p)$, if:

$$Def_{partial}(p) \Leftrightarrow \exists x \in X : \pi_p(x) = \bot \quad (2)$$

In Example 1 the defined property is partial because $\exists t \in T : \pi_{HIGH}(t) = \bot$, e.g. $\pi_{HIGH}(28) = \bot$. Defining total properties is time intensive, mostly because the interaction with the environment is only partially known. Additionally, the possible deployment of a system in multiple environments requires defining each property separately for each environment. We will show later in this paper how to overcome these issues by defining mapping strategies over I/O streams.

Definition 4 (Fuzzy Port). A fuzzy port $\Theta_T$ over a type $T$ is a set of fuzzy properties $\Theta_T = \{p \in \mathcal{P}\}$ which satisfies the following two conditions:

- Each property type is a subset of $T$, formally:

$$\forall p \in \Theta_T : p.X \subseteq T \quad (c1)$$

- Each property is uniquely characterized by its linguistic term, formally:

$$\forall p_1, p_2 \in \Theta_T : p_1 \neq p_2 \rightarrow p_1.\xi \neq p_2.\xi \quad (c2)$$

A fuzzy port $\Theta_T$ is said to be well defined only if c1 and c2 are satisfied, $\Theta_T \models c1 \wedge c2$. Graphically, a fuzzy input/output port is denoted by a white/black circle (○)/(●), respectively, at the boundary of a component. By $IP_S$/$OP_S$ we denote the set of all fuzzy input/output ports for a given system $S$. Furthermore, by $p^{\Theta_T}$ we denote the property $p$ which belongs to the fuzzy port $\Theta_T$. This notation is further generalized also for the elements $\xi^{\Theta_T}$, $\pi^{\Theta_T}$ of a property.

Since fuzzy ports are formally specified, we can now connect channels with fuzzy ports. I/O channels can be connected to I/O fuzzy ports respectively through connections. A connection is defined as the binding of a concrete channel to a concrete fuzzy port. Note that not every channel can be connected to a concrete port. This is because ports and channels are specified separately. While the former is a characteristic of the component to be developed, the latter may preexist, i.e. consider that we develop a component for an already existing system. Thus, the following connectivity property has to hold:

Definition 5 (Connectivity). A channel $c : C$ can be connected with a fuzzy port $\Theta_T$ only if $C \subseteq T$. This property guarantees that each message transmitted over the channel $c$ can be interpreted by the port $\Theta_T$.

Figure 2: Syntactic Interface Specification for the VPP

For the VPP example we define the set of fuzzy input ports $IP_{VPP} = \{\Theta_W, \Theta_T\}$, where $\Theta_W = \{W_{SUNNY}, W_{CLOUDY}\}$ (Figure 2-A) and $\Theta_T = \{T_{LOW}, T_{AVERAGE}, T_{HIGH}\}$ (Figure 2-B). The set of fuzzy output ports $OP_{VPP} = \{\Theta_P\}$ contains a single fuzzy port $\Theta_P = \{P_{LOW}, P_{AVERAGE}, P_{HIGH}\}$ (Figure 2-C). Figure 2 denotes the defined total properties of each fuzzy port. Intuitively, a fuzzy port takes the role of an interpreter. For a given message received at some time point $t$ over a channel $c$, the port gives all possible interpretations for each property. For example, the temperature of 23° can be interpreted to be high/average/low with degree of truth 0.2/0.6/0, respectively. Hence, given a port $\Theta_T$ and a measure $t \in T$, a port interpretation defines a total order $<$ on $\Theta_T$, e.g. $T_{LOW} < T_{HIGH} < T_{AVERAGE}\,|_{t=23}$.

Concluding, the syntactic interface of a component is fully specified if 1) its I/O channels are specified and, additionally to Focus theory, 2) the corresponding fuzzy I/O ports are well defined.

3.2 Semantic Interface - Behavior Specification 

3.2.1 Rule Base Specification.

After specifying the syntactic interface of a system, we now specify the semantics by a rule base. Let $I = \{i_1 : I_1, \ldots, i_n : I_n\}$ and $O = \{o_1 : O_1, \ldots, o_m : O_m\}$ be sets of typed I/O channels. Furthermore, let $IP = \{\Theta_{I_1}, \ldots, \Theta_{I_n}\}$ and $OP = \{\Theta_{O_1}, \ldots, \Theta_{O_m}\}$ represent the well-defined fuzzy ports that correspond to the typed I/O channels. For readability, we write $p^{I_j}$ instead of $p^{\Theta_{I_j}}$ to denote that a property $p \in \Theta_{I_j}$. Then, a single rule for a specific $o \in O$ has generally the form:

$$R^o_r : \text{if } i_1@t \text{ is } \xi^r_1 \text{ and } \ldots \text{ and } i_n@t \text{ is } \xi^r_n \text{ then } o@(t+1) \text{ is } \xi^r, \quad r = 1, \ldots, k \quad (3)$$

where $\xi^r_1, \ldots, \xi^r_n$ and $\xi^r$ represent the linguistic terms that correspond to the fuzzy properties of a fuzzy port, such that $\xi^r_j = p.\xi \mid p \in \Theta_{I_j}$, $j = 1, \ldots, n$ and $\xi^r = p.\xi \mid p \in \Theta_O$.

Figure 3: Behavior interpretation of a rule based specification ($R : I \to \wp(O)$)


3.2.2 Behavior Specification 


In the following we explain how the behavior function can be defined. Figure 3 depicts the required modules for the behavior specification. A tuple $(i_1@t, \ldots, i_n@t) \in I_1 \times \ldots \times I_n$ denotes the measured input picked up by the syntactic interface at some time point $t$. For each rule $R_r$ in the rule base we determine the degree to which the measured input fulfills the premise of the rule, called degree of applicability $\alpha_r = \min\{\pi_{\xi^r_1}(i_1), \ldots, \pi_{\xi^r_n}(i_n)\}$. The applicability degrees are passed to the implication module, where each rule $R_r$ implies for the measured input the fuzzy output set $\pi^{output}_{R_r} : O \to [0,1]$, $o \mapsto \min\{\alpha_r, \pi_{\xi^r}(o)\}$. The output of a rule $R_r$ is a fuzzy set of output values obtained by cutting off the fuzzy set $\pi_{\xi^r}$ at the level of applicability $\alpha_r$. The results are passed to the assembling module, which combines all calculated fuzzy output sets (one for each rule) into a single fuzzy output set by determining the maximum $\pi^{output}_{R} : O \to [0,1]$, $o \mapsto \max_r\{\pi^{output}_{R_r}(o)\}$. The fuzzy output set is passed to the defuzzification module, which decides for a crisp value $o_{crisp}$ by selecting the value with the maximum membership degree. In case more values have the same degree, the mean of maxima is selected. Finally, the crisp output value is passed to the output stream $o$. In case of multiple output channels the above procedure is repeated for each $o_i \in O$, $i = 1, \ldots, m$. Thus, the behavior of a system $S$ is fully specified by the set of all output specifications $R_S = \{R^{o_1}, \ldots, R^{o_m}\}$. Given a set of timed input streams, the output streams are evaluated according to $R_S$ for each time point.


Example 2. For the example depicted in Figure 2 let the fuzzy properties be defined according to the following scheme:

$T_{HIGH} = \{0/10, 0.4/20, 0.6/25, 0.8/30, 1/35\}$, $T_{LOW} = \{0.2/20, 0.4/15, 0.6/10, 0.8/5, 1/0\}$, $W_{SUNNY} = \{0.2/80, 0.4/60, 0.6/40, 0.8/20, 1/0\}$, $W_{CLOUDY} = \{0/20, 0.4/40, 0.6/60, 0.8/80, 1/100\}$, $P_{HIGH} = \{0/1, 0.4/2, 0.6/3, 0.8/4, 1/5\}$, $P_{LOW} = \{0/4, 0.4/3, 0.6/2, 0.8/1, 1/0\}$

Furthermore, let $R^p$ be the rule base specification containing the following rules:

$R^p_1$: if $t$ is HIGH and $w$ is SUNNY then $p$ is HIGH
$R^p_2$: if $t$ is LOW and $w$ is CLOUDY then $p$ is LOW

Given the tuple $(t@t_1, w@t_1) = (20, 40)$ denoting the measured input at time point $t_1$, we are seeking the output $p$. As a first step we calculate the degree of applicability for each rule. Thus, $\alpha_1 = \min\{\pi_{T_{HIGH}}(20), \pi_{W_{SUNNY}}(40)\} = \min\{0.4, 0.6\} = 0.4$ and $\alpha_2 = \min\{\pi_{T_{LOW}}(20), \pi_{W_{CLOUDY}}(40)\} = \min\{0.2, 0.4\} = 0.2$. By cutting off the fuzzy sets $P_{HIGH}$, $P_{LOW}$ at the degree of applicability $\alpha_1$ and $\alpha_2$ respectively, we get the output value of each rule: $\pi_{HIGH,SUNNY} = \{0/1, 0.4/2, 0.4/3, 0.4/4, 0.4/5\}$ and $\pi_{LOW,CLOUDY} = \{0.2/0, 0.2/1, 0.2/2, 0.2/3, 0/4\}$. By assembling the fuzzy outputs of each rule we get: $\{0.2/0, 0.2/1, \max(0.2,0.4)/2, \max(0.2,0.4)/3, \max(0,0.4)/4, \max(0,0.4)/5\} = \{0.2/0, 0.2/1, 0.4/2, 0.4/3, 0.4/4, 0.4/5\}$. Finally, applying the mean of maxima we get $o = 3.5$, which is the crisp output that is passed to the output channel $p$.
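The four modules of Section 3.2.2 (applicability, implication, assembling, defuzzification) run over the properties and rule base of Example 2, as an added Python example that is not part of the paper; the property tables, port and rule names are the paper's, the treatment of a message outside a property's universe as degree 0 is an assumption.

```python
"""Rule base evaluation for the VPP example of Section 3.2: applicability (min),
implication (cut at alpha), assembling (max) and mean-of-maxima defuzzification."""
from statistics import mean

# Fuzzy properties of Example 2 as discrete membership tables {x: degree}.
# A message outside a table is 'bottom' in the paper; it is rated 0 here (assumption).
T_HIGH = {10: 0.0, 20: 0.4, 25: 0.6, 30: 0.8, 35: 1.0}
T_LOW = {20: 0.2, 15: 0.4, 10: 0.6, 5: 0.8, 0: 1.0}
W_SUNNY = {80: 0.2, 60: 0.4, 40: 0.6, 20: 0.8, 0: 1.0}
W_CLOUDY = {20: 0.0, 40: 0.4, 60: 0.6, 80: 0.8, 100: 1.0}
P_HIGH = {1: 0.0, 2: 0.4, 3: 0.6, 4: 0.8, 5: 1.0}
P_LOW = {4: 0.0, 3: 0.4, 2: 0.6, 1: 0.8, 0: 1.0}

# Fuzzy ports: channel name -> {linguistic term: property}
INPUT_PORTS = {"t": {"HIGH": T_HIGH, "LOW": T_LOW},
               "w": {"SUNNY": W_SUNNY, "CLOUDY": W_CLOUDY}}
OUTPUT_PORT = {"HIGH": P_HIGH, "LOW": P_LOW}

# Rule base R^p: (premise {channel: term}, conclusion term for p)
RULES = [({"t": "HIGH", "w": "SUNNY"}, "HIGH"),
         ({"t": "LOW", "w": "CLOUDY"}, "LOW")]


def applicability(premise, inputs):
    """alpha_r = min over the premise of pi_xi(i@t)."""
    return min(INPUT_PORTS[ch][term].get(inputs[ch], 0.0)
               for ch, term in premise.items())


def implication(alpha, out_property):
    """Cut the conclusion's fuzzy set at level alpha: o -> min(alpha, pi(o))."""
    return {o: min(alpha, deg) for o, deg in out_property.items()}


def assemble(cut_sets):
    """Pointwise maximum of the per-rule output sets over the union of their domains."""
    domain = set().union(*(c.keys() for c in cut_sets))
    return {o: max(c.get(o, 0.0) for c in cut_sets) for o in sorted(domain)}


def mean_of_maxima(fuzzy_out):
    """Defuzzify: the value with maximal degree; several maxima are averaged.
    If no rule applies (all degrees 0) there is no supported output: None."""
    top = max(fuzzy_out.values())
    if top == 0.0:
        return None
    return mean(o for o, deg in fuzzy_out.items() if deg == top)


def evaluate(inputs):
    """One evaluation step of R^p for measured inputs {channel: message} at time t.
    Returns (alphas, assembled fuzzy output set, crisp output for t+1)."""
    alphas = [applicability(premise, inputs) for premise, _ in RULES]
    cuts = [implication(a, OUTPUT_PORT[term]) for a, (_, term) in zip(alphas, RULES)]
    assembled = assemble(cuts)
    return alphas, assembled, mean_of_maxima(assembled)


def behaviour(t_stream, w_stream):
    """Interface behaviour over timed input streams: p@(t+1) for each (t@t, w@t)."""
    return [evaluate({"t": t, "w": w})[2] for t, w in zip(t_stream, w_stream)]


if __name__ == "__main__":
    print(evaluate({"t": 20, "w": 40}))          # alphas [0.4, 0.2], crisp 3.5
    print(behaviour([20, 35, 0], [40, 0, 100]))  # [3.5, 5, 0]
```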

Theorem 1. Every rule based behavior specification $R_S = \{R^{o_1}, \ldots, R^{o_m}\}$, where $R^{o_i}$ is of the general form given by equation (3), has a deterministic behavior interpretation $R : I \to \wp(O)$, which defines a total deterministic Moore machine $(\Sigma, \Delta)$ with transition function:

$$\Delta : (\Sigma \times (I \to M^*)) \to \wp(\Sigma \times (O \to M^*)) \quad (4)$$

The above theorem states that, despite the fact that the rule based behavior specification relies on fuzzy properties, the component behavior from a black box point of view is not fuzzy at all. This implies that the abstraction from a rule based behavior specification leads to a crisp deterministic interface behavior $R$. Consequently, tools like AutoFocus [2] and theorem provers like Isabelle [20] can be further used for behavior analysis.


3.3 Mapping Strategies 

The definition of total properties requires a total mapping from the reference set to the unit interval. This mapping may be achievable for static properties such as the speed of a car. However, most properties, especially when modeling complex systems with environmental interactions, are not static in nature. How a high temperature should be interpreted depends highly on the geographical location the system will be deployed in. Furthermore, a temperature of 15°C may be considered high in winter but only average in summer. Therefore, properties can also be time dependent. To deal with location and time dependency of properties we introduce the concept of mapping strategies. Such a strategy defines the membership function of a property according to the observed history of a channel. Thus, the property adapts to the location of a component. Additionally, a threshold for the history length may be declared to consider only recent interactions; this guarantees a smooth adaption of the membership function over time.

Definition 6 (Mapping Strategy). A mapping strategy for a given property $p = (X, \xi, \pi_p)$ (partial or total) is a higher-order function from a stream to a membership function for that property, formally:

$$mapstr_p : Stream\ X, \mathbb{N} \cup \{\infty\} \to (\pi_p : X \to [0,1]) \quad (5)$$

Example 3 (Mapping Strategy). For the VPP example the signature of a concrete mapping strategy for the property average temperature $T_{AVERAGE}$ could be declared as:

fct mapstr_T_AVERAGE (t : Stream T, n : Nat) fct π_T_AVERAGE (x : T) {
    ret gaussmf(min(t|n), max(t|n)) }
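The mapping strategy of Definition 6 and Example 3 in runnable form, as an added Python example that is not the paper's own code: the history window is read as the n most recent observations, and gaussmf(min, max) is assumed to be centred at the midpoint with width a quarter of the span; the temperature history is constructed.

```python
"""Mapping strategy for T_AVERAGE: the membership function is derived from the observed
temperature history of a channel, so the same temperature is rated differently after a
winter history than after a spring history (Section 3.3)."""
import math


def gaussmf(center, sigma):
    """Gaussian membership function centred at `center` with width `sigma`."""
    return lambda x: math.exp(-((x - center) ** 2) / (2.0 * sigma ** 2))


def window(history, n):
    """The n most recent observations (n = infinity: the whole history).
    Reading of the history-length threshold of Section 3.3; an assumption."""
    if n == math.inf:
        return list(history)
    return list(history)[-n:]


def mapstr_t_average(history, n=math.inf):
    """mapstr_{T_AVERAGE} : (Stream T, N u {inf}) -> (pi : T -> [0,1]).
    Assumed parametrisation of gaussmf(min, max): centre = midpoint, sigma = span / 4."""
    recent = window(history, n)
    if not recent:
        raise ValueError("mapping strategy needs at least one observation")
    lo, hi = min(recent), max(recent)
    center = (lo + hi) / 2.0
    sigma = max((hi - lo) / 4.0, 1e-9)  # constant history: avoid division by zero
    return gaussmf(center, sigma)


def degrees_over_time(history, n, x):
    """Degree of 'average' for temperature x at each time point t, using only the
    history observed up to t: shows the membership function adapting over time."""
    return [round(mapstr_t_average(history[: t + 1], n)(x), 3)
            for t in range(len(history))]


# Constructed sample history (degrees C): six winter days followed by five spring days.
HISTORY = [-5, 0, 3, 2, -1, 4, 10, 14, 18, 12, 16]

if __name__ == "__main__":
    print(mapstr_t_average(HISTORY[:6])(15))    # winter history: 15 is far from average
    print(mapstr_t_average(HISTORY, n=5)(15))   # last five (spring) days: about 0.88
    print(degrees_over_time(HISTORY, 5, 15))
```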
4 Fuzzy Components

In Section 3 we showed that fuzzy logic is well suited for modeling soft properties and developing rule based specifications. We proved that the abstraction of a rule based behavior specification leads to a crisp deterministic interface behavior $R : I \to O$. However, not all correct behaviors are equally good, and not all incorrect behaviors are equally bad. Thus, we introduce the concept of fuzzy components and their fuzzy behavior. This description yields a quantitative reasoning about component behaviors. Figure 4 depicts the extension of a component with deterministic behavior $b : I \to O$ to a fuzzy component with fuzzy behavior $\tilde{b} : \tilde{I} \to \tilde{O}$, which is the subject of this section.



4.1 Basic Adaption 


To enable fuzzy component behavior we first have to extend Focus theory in order to deal with fuzzy types. Thus, we introduce the notion of fuzzy types/channels. The prefix symbol $\mathcal{F}$ defines a fuzzy type as a total function from the crisp reference type $T$ to the unit interval $[0,1]$, denoted by $\mathcal{F}T : T \to [0,1]$. Now, let a set $T_F$ of fuzzy types $\mathcal{F}T$ be given. By $C_F$ we denote the set of fuzzy channels. Furthermore, we assume that we are given a fuzzy type assignment for the fuzzy channels: $f\_type : C_F \to T_F$. Given a set $C_F$ of fuzzy channels, a valuation or history of a fuzzy channel is denoted by:

$$\vec{C}_F = \{x : C_F \to M^\omega \mid \forall c \in C_F : x.c \in (dom.f\_type(c))^\omega\} \quad (6)$$

A valuation of a fuzzy channel $x \in \vec{C}_F$ associates a stream $s$ of elements of type $dom.f\_type(c)$ with each fuzzy channel $c \in C_F$. Throughout this chapter we work with a simple notation for streams over fuzzy channels, which is described in the following. By $s.j$ we denote the $j$-th element of the stream $s$ and by $acc_c(s.j)$ we denote the degree of membership of $s.j$ in $dom.f\_type(c)$. Informally, the value $acc_c(s.j)$ tells us to what degree element $s.j$ is accepted by channel $c$. If we combine two elements $(s.j, s.k \mid j,k \in \mathbb{N} \wedge j \neq k)$ of a stream, their combination is rated according to the following scheme:


$$\text{Lower: } acc_\wedge(s.j, s.k) = (s.j \wedge s.k) = \min\{acc_c(s.j), acc_c(s.k)\}$$
$$\text{Upper: } acc_\vee(s.j, s.k) = (s.j \vee s.k) = \max\{acc_c(s.j), acc_c(s.k)\} \quad (7)$$

For a finite number of elements in a stream we define analogously the acceptance degree of a stream $s$ by:

$$acc_\downarrow(s) = \min_{0 \leq j < \#s}\{acc(s.j)\} \quad \mid \quad acc_\uparrow(s) = \max_{0 \leq j < \#s}\{acc(s.j)\} \quad (8)$$

Since streams can have an infinite number of elements, the above scheme converts to the following equations for the infinite case:

$$acc_\downarrow(s) = \inf_{0 \leq j < \#s = \infty}\{acc(s.j)\} \quad \mid \quad acc_\uparrow(s) = \sup_{0 \leq j < \#s = \infty}\{acc(s.j)\} \quad (9)$$
Furthermore, we can combine not only elements of the same stream but also elements from different streams, using the scheme above with the following replacement in equation (7): $(s.j / s_1.j,\ s.k / s_2.k)$. Thus, two or more streams can be combined in order to evaluate the upper and lower acceptance bounds. It is noteworthy that the acceptance degree is not limited to the upper and lower bounds specified in this paper. A statistical representation of the acceptance degree is possible as well (e.g. $acc(s) = \frac{1}{\#s}\sum_{0 \leq j < \#s} acc(s.j)$). Which representation is best suited depends highly on the system characteristics. Hence, while for a fault tolerant system like a VPP some could prefer the statistical mean representation, for a safety critical system like an airplane the lower and upper bounds seem more appropriate. Finally, having established a strict notion for fuzzy types, channels and stream processing, we introduce the notion of a fuzzy syntactic interface of a component:

Definition 7 (Fuzzy syntactic interface). Given a set of fuzzy input channels $I_F$ and a set of fuzzy output channels $O_F$, we introduce the notion of a fuzzy syntactic interface of a component by $(I_F, O_F)$ or symbolically $(I_F \blacktriangleright O_F)$.

4.2 Fuzzy Extension 

Theorem 2 (Fuzzy Type Extension). Let $f : I^n \to O$ be a mapping from typed inputs $(i_1 : I_1, \ldots, i_n : I_n)$ to a single typed output $o : O$. If the input becomes fuzzy through a fuzzy type assignment of the form $(i_1 : \mathcal{F}I_1, \ldots, i_n : \mathcal{F}I_n)$, then the fuzzy type extension of $O$ is given by:

$$\mathcal{F}O(o) =_{def} \sup\{\min\{\mathcal{F}I_1(i_1), \ldots, \mathcal{F}I_n(i_n)\} \mid i_1 \in I_1, \ldots, i_n \in I_n \text{ and } o = f(i_1, \ldots, i_n)\} \quad (10)$$


Example 4 (Stateless Fuzzy Behavior). We show how the extension principle is applied to a stateless adder with deterministic behavior $o = f(i_1, i_2)$. Let $i_1 : I_1$, $i_2 : I_2$ and $o : O$ be of type $I_1 = \{2,3,4\}$, $I_2 = \{6,7,8\}$ and $O = \{8,9,10,11,12\}$, respectively. We are seeking the fuzzy output type $\mathcal{F}O$ if the input of $f$ becomes fuzzy typed.

Crisp: fct f = (i_1 : I_1, i_2 : I_2) out o : O { ret i_1 + i_2; }
Fuzzy: fct f = (i_1 : ℱI_1, i_2 : ℱI_2) out o : ? { ret i_1 + i_2; }

Let $\mathcal{F}I_1 = \{0.5/2, 1/3, 0.5/4\}$ be a fuzzy type representing the "fuzzy 3" and $\mathcal{F}I_2 = \{0.5/6, 1/7, 0.5/8\}$ another fuzzy type representing the "fuzzy 7". Now, according to Theorem 2:

$$\mathcal{F}O(o) = \sup\{\min\{\mathcal{F}I_1(i_1), \mathcal{F}I_2(i_2)\} \mid i_1 \in I_1, i_2 \in I_2 \text{ and } o = f(i_1, i_2)\}$$

For $i_1 + i_2 = 9$ we receive:

$$\mathcal{F}O(i_1 + i_2 = 9) = \max\{\min(\mathcal{F}I_1(3), \mathcal{F}I_2(6)), \min(\mathcal{F}I_1(2), \mathcal{F}I_2(7))\} = \max(\min(1, 0.5), \min(0.5, 1)) = 0.5$$

Repeating for all $o \in O$ we obtain $\mathcal{F}O = \{0/8, 0.5/9, 1/10, 0.5/11, 0/12\}$, which is the fuzzy type representing the "fuzzy 10" depicted in Figure 5-A.
4.3 Fuzzy Component Behavior

Recall from Section 3 that component behavior was denoted by $B : I \to \wp(O)$, meaning that input histories $I$ are mapped to all possible output histories $O$ via the set-valued function $B$. We now turn to the motivation of a general method which enables the mapping of fuzzy input histories to all possible fuzzy output histories via a set-valued function $\tilde{B}$, denoted by $\tilde{B} : \tilde{I} \to \wp(\tilde{O})$. A fuzzy behavior $\tilde{B}$ is called deterministic if $\tilde{B}(x)$ is a one-element set for each fuzzy input history $x$. Such a behavior is equivalent to a function $\tilde{b} : \tilde{I} \to \tilde{O}$ where $\tilde{B}(x) = \{\tilde{b}(x)\}$.

Definition 8 (Fuzzy Behavior Extension). Let $b : I \to O$ be a mapping from input histories $I$ to output histories $O$. The fuzzy extension of $b$ is given by:

$$\tilde{b} : \tilde{I} \to \tilde{O}$$

where for every $o \in O$ we apply the fuzzy type extension Theorem 2.

Definition 9 ($\alpha$-Realizability). A fuzzy I/O behavior $\tilde{B}$ is called $\alpha$-realizable if there exists a total function $\tilde{b} : \tilde{I} \to \tilde{O}$ such that:

$$\forall x \in \tilde{I} : \tilde{b}(x) \in \tilde{B}(x) \wedge acc(\tilde{b}(x)) \geq \alpha \quad (11)$$

$[\tilde{b}]_\alpha$ is called an $\alpha$-realization of $\tilde{B}$. By $[\tilde{B}]_\alpha$ we denote the set of all $\alpha$-realizations of $\tilde{B}$. An output history $y \in \tilde{B}(x)$ is called $\alpha$-realizable for a fuzzy I/O behavior with input $x$ if there exists a realization $[\tilde{b}]_\alpha \in [\tilde{B}]_\alpha$ with $y = \tilde{b}(x)$.

Example 5 (Stateful Fuzzy Behavior). Consider the following two programs (left: boolean, right: fuzzy), which are the stateful extension of example 4:

fct b = (i_1 : I_1, i_2 : I_2) out o : O {
    (first(i_1) + first(i_2)) & b(rest(i_1), rest(i_2))
}

fct b = (i_1 : FI_1, i_2 : FI_2) out o : FO {
    (first(i_1) + first(i_2)) & b(rest(i_1), rest(i_2))
}

Now let $i_1 = \langle 2, 3, 4, 3, 3, 4, 2, 3 \rangle$ be an input stream of fuzzy type $\mathcal{F}I_1$ and $i_2 = \langle 7, 6, 6, 7, 6, 7, 9, 7 \rangle$ another input stream of fuzzy type $\mathcal{F}I_2$. Then the fuzzy behavior $b(i_1, i_2)$ is 0.5-realizable but it is not 0.75-realizable, as visualized in Figure 5 B.
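The following Python block is an added example and not code from the paper: it computes the max-min fuzzy type extension of the crisp adder (the computation that yields the "fuzzy 10" above) and then checks the $\alpha$-realizability of the stateful adder of Example 5 for the two input streams given in the text. The discrete memberships of $\mathcal{F}I_1$ and $\mathcal{F}I_2$ are assumed; only the four values the equation for $\mathcal{F}O(9)$ uses ($\mathcal{F}I_1(3) = 1$, $\mathcal{F}I_1(2) = 0.5$, $\mathcal{F}I_2(6) = 0.5$, $\mathcal{F}I_2(7) = 1$) are fixed by the page. The acceptance degree $acc$ of an output history is likewise assumed to be the minimum membership of its elements in $\mathcal{F}O$, since the behavior is deterministic and condition (11) then reduces to $acc(b(x)) \geq \alpha$. The `extend` function is written for any crisp function and arity, not just the binary adder of the text.

```python
from itertools import product

# Assumed discrete fuzzy input types (value -> membership degree).
# Only FI1(3)=1, FI1(2)=0.5, FI2(6)=0.5 and FI2(7)=1 are stated on the page.
FI1 = {2: 0.5, 3: 1.0, 4: 0.5}
FI2 = {6: 0.5, 7: 1.0, 8: 0.5}


def extend(f, *fuzzy_types):
    """Max-min fuzzy type extension of a crisp function f.

    For every output o, the membership is the maximum over all input tuples
    with f(tuple) == o of the minimum of the tuple's input memberships.
    Works for any arity, not only the binary adder of the paper.
    """
    out = {}
    for combo in product(*(t.items() for t in fuzzy_types)):
        values = [v for v, _ in combo]
        degree = min(m for _, m in combo)
        o = f(*values)
        out[o] = max(out.get(o, 0.0), degree)
    return dict(sorted(out.items()))


def add(x, y):
    """Crisp stateless adder."""
    return x + y


# Fuzzy output type FO of the adder, derived from the assumed inputs.
FO = extend(add, FI1, FI2)


def acc(history, fuzzy_type):
    """Assumed acceptance degree: minimum membership of the history's
    elements in the fuzzy type; a value outside the type's support gives 0."""
    return min((fuzzy_type.get(v, 0.0) for v in history), default=1.0)


def stateful_adder(i1, i2):
    """Stateful adder of Example 5: first(i1)+first(i2) prefixed to the
    recursive call on the rests. Stops when either stream is exhausted."""
    if not i1 or not i2:
        return []
    return [i1[0] + i2[0]] + stateful_adder(i1[1:], i2[1:])


def is_alpha_realizable(i1, i2, alpha, fuzzy_type=None):
    """Condition (11) for the deterministic adder: acc(b(x)) >= alpha."""
    fuzzy_type = FO if fuzzy_type is None else fuzzy_type
    return acc(stateful_adder(i1, i2), fuzzy_type) >= alpha


def max_alpha(i1, i2, fuzzy_type=None):
    """Largest alpha for which the adder's output history is alpha-realizable."""
    fuzzy_type = FO if fuzzy_type is None else fuzzy_type
    return acc(stateful_adder(i1, i2), fuzzy_type)


# Input streams of Example 5 (from the page).
I1 = [2, 3, 4, 3, 3, 4, 2, 3]
I2 = [7, 6, 6, 7, 6, 7, 9, 7]

if __name__ == "__main__":
    print("FO =", FO)
    print("output history =", stateful_adder(I1, I2))
    print("0.5-realizable:", is_alpha_realizable(I1, I2, 0.5))
    print("0.75-realizable:", is_alpha_realizable(I1, I2, 0.75))
```

With the assumed memberships the computed $\mathcal{F}O$ agrees with the page at 9, 10 and 11 (0.5, 1, 0.5); at the boundary values 8 and 12 it gives 0.5 rather than the 0 shown in Figure 5 A, because those entries depend on the full input memberships, which this section does not restate. The output history of the stateful adder is $\langle 9, 9, 10, 10, 9, 11, 11, 10 \rangle$, whose acceptance degree is 0.5, so the behavior is 0.5-realizable and not 0.75-realizable, matching the claim of Example 5. Note that the element 9 of $i_2$ lies outside the assumed support of $\mathcal{F}I_2$; the check above is performed on the output history only, which is why it does not lower the result.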

Concluding this section, we showed how to extend basic specification properties like realizability in order to handle fuzzy behavior. In a similar way, theorem 2 and definition 8 provide the necessary tools for formalizing further specification properties such as safety, liveness, and fairness.


5 Related Work 


In the last decade many research efforts have been recorded in the literature [4-6, 12, 15, 17, 19], where classical formal methods have been extended with probabilistic, stochastic, distance-measurement, and multi-valued logic techniques in order to deal with uncertainties in modeling component-based interactive systems. However, uncertainty has two distinct facets, randomness and fuzziness, both of which play basic roles in human reasoning, decision making and concept formation [26]. While the former handles partial knowledge (lack of essential information), the latter deals with partial truth (inability to characterize information). Thus, we intentionally leave probabilistic and stochastic systems outside the scope of this paper, concentrating instead on how to deal with partial truth. For the specification and development of interactive systems in consideration of probabilistic effects we refer to Neubeck's dissertation [19], where a theoretical framework for probabilistic systems is provided.

Figure 5: (A) Fuzzy type extension for a stateless adder. (B) α-realization of the stateful adder with fuzzy behavior b.


Chechik et al. [6] introduce the concept of multi-valued model-checking and describe a multi-valued symbolic model-checker, χChek, for analyzing models that contain uncertainty or inconsistency. They develop a modeling language based on a generalization of Kripke structures, where both atomic propositions and transitions between states may take any of the truth values of a given multi-valued logic. In addition to the theoretical foundation they present a model-checking algorithm which is illustrated on some examples. Finally, the formalization of specification properties such as fairness in multi-valued model-checking is addressed. While Chechik et al. concentrate on logics with a finite set of truth values (a 3-valued logic is evaluated in their examples), we explore the case of continuous intervals of truth values. Furthermore, the concept of mapping strategies introduced in this paper enables the dynamic reconfiguration of specified intervals of truth values, which is also an extension to the aforementioned work.


With respect to formal specification based on fuzzy logic, Matthews et al. [18] suggest fuzzy set theory as a possible representation scheme to deal with uncertainty. The main contribution of their work is an extension of a set-based specification language, namely Z. They develop a suitable fuzzy set notation within the existing syntax of Z. A summary of a toolkit is provided that defines the operators, measures and modifiers necessary for the manipulation of fuzzy sets and relations. In further work [17], Matthews illustrates how the toolkit can be used to specify a simple fuzzy expert system. However, their approach does not capture component interactions, which is the primary concern in this paper.


Cerny et al. [5] in a recent attempt pointed out that boolean notions of correctness are formalized by preorders on systems. To overcome the limitations of a two-valued logic, the authors introduce the notion of distances between two systems or between a system and a specification, and suggest quantitative simulation games as a framework for measuring such distances. They present three particular distances: two for quantifying aspects of correct systems, namely coverage and robustness, and one for measuring the degree of correctness of an incorrect system. In a later work [4], the same authors extend the quantitative notion of simulation distances to automata with inputs and outputs. The introduced interface distance allows for measuring the desirability of an interface w.r.t. a given specification. In a direct comparison with the work presented in this paper one could say that both approaches pursue the same objective, namely to relax the boolean notion in formal specifications. However, the common objective is addressed by two distinct approaches. While Cerny et al. define a simulation distance for each property of interest and afterwards measure the deviation of all models, we rely on fuzzy set theory to soften the boolean notion. Hence, we suggest formalizing properties in terms of α-cuts and acceptance degrees on vague descriptions and measuring to what degree a property of interest is fulfilled by concrete models (e.g. α-realizability of two behaviors).

The restrictions of a two-valued logic are also present in systems with continuous behavior. Henzinger et al. presented in their recent paper [12] a model measuring framework for the hybrid case, where distances are represented by parametrized hybrid automata. In effect, they address the same problem as described in [5] for the hybrid case. In our approach, we consciously decided for fuzzy set theory because of the fuzzification property, which allows the generalization of a discrete theory to a continuous one. Thus, the concepts introduced in this paper can be easily generalized to continuous behaviors. An interesting future research objective would be to analyze the trade-off between fuzzy and hybrid approaches in general. While hybrid automata make use of differential equations to describe a state, fuzzy approaches use vague rules. What is the distance between fuzzy descriptions and differential equations?


6 Conclusion 


Tool Support. The intention of this work was not to present a concrete tool as part of a tool demonstration but rather to establish the underlying theory required for the development of such a tool. Thus, we abstract away from the implementation details and present only an overview of a prototype under development, depicted in Figure 6. Xtext [8], a framework for the development of programming languages and DSLs, is the starting point. It is used for the development of a model-based specification language with support for the concepts introduced in chapters 3 and 4. From the model-based specification language the required parser and linker are generated. Additionally, an Eclipse plugin is generated which enables full support for the specification language inside the Eclipse IDE. Hence, the integrated specification editor is used to transform the informal specification (requirements) into a formal specification which conforms to the developed language. Once the informal requirements are formalized, a series of model transformations becomes available. On the one hand, the specification can be transformed to executable models (Java and Simulink), which allows automated simulation of the system under development. On the other hand, the generic theorem prover Isabelle [20] is used for the verification and validation of system properties. Currently, there is only support for the concepts introduced in chapter 3; see for example Focus on Isabelle [23]. In particular, support for formal verification of fuzzy component behavior is a major future research direction. Hence, a primary concern is to develop or adapt a fuzzy theory toolbox in Isabelle which enables fuzzy reasoning inside the framework.

Figure 6: Tool Prototype


Summary. In chapter 3 we introduced a specification technique based on fuzzy logic for interactive systems. In particular, we showed that a fuzzy rule-based specification can be represented in terms of a black-box view as a deterministic behavior and can therefore be modeled in a deterministic fashion by means of automata. The introduced technique is especially well suited for modeling user and environment interactions, which are characterized by vagueness and uncertainty. The underlying Focus theory has been adapted to enable vague descriptions over fuzzy I/O ports. Finally, mapping strategies are introduced, which adapt fuzzy properties to the measured behavior over the I/O histories. Mapping strategies are well suited for formalizing self-* properties.

In chapter 4 we introduced fuzzy components and their fuzzy behavior. We established a basic notion of fuzzy types, channels and interfaces and provided basic operators on streams. A general method which enables the mapping of fuzzy input streams to fuzzy output streams over a set-valued function is defined. The latter enables the modeling of fuzzy component behavior. Finally, we showed the fuzzy interpretation of basic specification properties like realizability.

Outlook. Concluding, we point out that our proposed method allows us to capture certain system aspects which cannot be represented by formal methods based on a two-valued logic. However, the work presented here is only an introduction towards a complete theory for fuzzy interactive systems. Basic system concepts such as composition and decomposition, refinement, interface abstraction and architecture, to name only a few, have to be addressed in more detail. Last but not least, from a more practical point of view, specification techniques such as tables and diagrams and tool support in the form of AutoFocus [2] are future directions we have to pursue in order to set up more practical case studies to evaluate the expressiveness, completeness, and effectiveness of the introduced approach.